06 February 2018

Cybersecurity Hiring - An Issue for All

As cyber threats proliferate, organizations looking to fill cybersecurity vacancies need to take concrete steps to reboot recruiting and hiring efforts. Qualified candidates for cybersecurity jobs are scarce and getting scarcer, creating a challenge for companies to properly defend themselves against threats. By 2022, an estimated 1.8 million cybersecurity jobs will go unfilled, according to research by (ISC)2.

It’s a classic supply-and-demand challenge, with too many vacancies for too few candidates. Currently it takes 55% of organizations at least three to six months to fill a cybersecurity vacancy, and 32% spend even more time to find qualified candidates, ISACA has found. In the United States, 27% of companies say they cannot fill cybersecurity vacancies.

To reverse this trend, employers should work on offering attractive compensation packages and creating a career advancement path for qualified candidates. Cybersecurity workers are more likely to accept jobs with companies willing to invest in training and education to update their cybersecurity skills. And as revealed in a recent (ISC)2 report, a greater investment in technology to protect against cyber threats also is needed, since 51% of IT workers in charge of security fear their organizations aren’t prepared enough to respond to cyberattacks.

Employers also should work on expanding the talent pipeline, identifying candidates from other fields who can quickly adapt to the cybersecurity profession and stepping up recruitment efforts in demographics that traditionally have been underserved for cybersecurity work – millennials and women. Tapping these sizable talent pools could help reduce the skills shortage.

The State of Cybersecurity Employment

Skills gaps have persisted in the IT industry for decades, something that industry trade organization CompTIA has sought to address along the way. At least eight in 10 U.S. businesses feel adverse effects of this shortage, according to CompTIA. The problem is especially acute – and worrisome because of what’s at stake – in cybersecurity.

The U.S. Bureau of Labor Statistics estimates the number of IT security jobs will have increased 18% by 2024, but as (ISC)2 has discovered, there will be nowhere near enough skilled candidates to fill those jobs. ISACA has found one in five organizations draw fewer than five candidates for each cybersecurity position.

Meanwhile, cyber threats get progressively worse, becoming more frequent and damaging. Studies suggest many organizations need to better prepare to address the cybersecurity challenge. For instance, a Crowd Research Partners study released in early 2017 shows 62% of respondents had moderate to no confidence in their security measures.

The Recruitment Challenge

What makes cybersecurity recruiting such a vexing challenge? It’s a confluence of factors:

Cybersecurity careers remain relatively novel. Most cybersecurity professionals (87%) start out in different work. A student envisioning a technology career is more apt to think about web or mobile app development, not protecting an organization from cyber attacks. However, this dynamic is changing rapidly as colleges expand their cybersecurity curricula, and the cybersecurity field matures.

Hiring practices are problematic. Admittedly, when demand far exceeds supply, even the best recruiters will struggle. That isn’t to say improvements are impossible. Protracted hiring processes can discourage jobseekers, who will find employment elsewhere. In a highly competitive market, hiring must be quick and efficient. Another issue is too often the people recruiting and hiring lack cybersecurity expertise, which can make it difficult to identify the right candidate.

Employers have unrealistic expectations. Employers need to make sure descriptions for cybersecurity positions accurately match the knowledge, skills and abilities the role requires. (ISC)2 research indicates this is an area for improvement, and the same is true of employers’ investment in training and certifications. Only about one-third of respondents (34%) said their company pays for all of their cybersecurity training.

Women are underrepresented. Female cybersecurity workers remain relatively rare. In North America, only 14% of the region’s cybersecurity professionals are women. That compares with 10% in Asia-Pacific, 9% in Africa, 8% in Latin America and 7% in Europe.

Millennials also are scarce. Millennials make up a small fraction of the cybersecurity job market. Millennials are a diverse group with a strong interest in training, mentorship and apprenticeships, areas in which too many of today’s budget-conscious employers could do a better job.

High Stakes

Solving the cybersecurity hiring challenge will take time and effort. In the short term, employers can make progress by adjusting their hiring expectations, streamlining the recruitment process and tapping underserved talent pools.

There’s a lot at stake because organizations need to protect their critical IT assets. As threats proliferate, new tools to combat those threats become available. Companies need to invest in those technologies and the people who run them. This is an ongoing endeavor, which will benefit from upfront investments in hiring and recruiting and in skills development for members of the cybersecurity team. Keeping the skills of cybersecurity workers up to date is essential to the execution of an effective cybersecurity strategy.

How to Attract Qualified Candidates

Successfully filling cybersecurity jobs in such a wildly competitive field takes a refined approach. Here are some recommendations for employers to follow during the recruitment process:

Invest in training and certifications.

Investment in cybersecurity skills through training and certification benefits both the individual and the employer. The cybersecurity field is evolving rapidly to keep up with an ever-changing threat landscape, so security workers need ongoing training to update their skills. Training also has a positive effect on retention. Workers will be less tempted to seek employment elsewhere if they believe their current employers understand the importance of skills development.

Offer career advancement.

Employees view career advancement opportunities as a reason to grow professionally with their employers. That’s true of any field, including cybersecurity. Too often, employers resist advancing workers when they are doing a good job because they want to protect the organization. But this may have the effect of demoralizing employees who deserve to move up as well as those behind them who are ready to take over their positions. Employers should offer advancement paths based on clearly defined achievements and goals, and make that known during the recruitment and hiring process.

Engage cybersecurity workers in decision-making.

Employers are more likely to attract cybersecurity talent by correctly setting expectations and defining responsibilities. This means clearly articulating that you recognize the role of cybersecurity professionals is primarily to advise senior management on how to minimize risk. (ISC)2 has found employers often ignore advice from workers in charge of IT security, with only about one-third (35%) of those workers saying management follows their advice. Employers should be realistic with cybersecurity jobseekers about the organization’s culture and willingness to accept advice, all of which directly contribute to the success of the cybersecurity program. Position the cybersecurity role as a valued contributor and advisor to leadership, but don’t oversell it.

Fine-tune recruitment processes.

As already noted, protracted hiring processes discourage job applicants. Managers can improve the likelihood of hiring the best candidates by making a decision as quickly as possible, and not forcing candidates to wait for an answer for weeks or months. To streamline processes, HR and cybersecurity managers should work together to maintain a pool of resumes they can use when needing to fill a vacancy. In addition, keeping staffers with cybersecurity expertise involved in the hiring process is crucial to hiring the best-qualified candidates.

Target untapped talent.

Millennials and women are a largely untapped talent pool for cybersecurity. Employers can get a jump on the talent market by reaching out to female and millennial candidates, both internally and externally. Another area worthy of exploring is to identify professionals in other fields, such as communications, accounting and law enforcement, who could easily adapt to cybersecurity work. The more diverse your cybersecurity team, the more likely it is to develop effective, innovative practices and approaches to the defense of your IT environment. Homogeneous teams tend to get stuck in repeating tired practices, sometimes even after those practices become ineffective.

Partner with school districts and universities.

The IT industry – and by extension the cybersecurity field – can partly address skills gaps by forging partnerships with schools. Getting students interested in cybersecurity in their formative years is an investment in the future, and there are multiple ways to accomplish this:

Sponsor and participate in career days.

Offer internships and apprenticeships.

Actively participate in the educational process with guest lectures at local schools.

Sponsor field trips to data centers and other locations where students can meet cybersecurity workers.

Offer scholarships to deserving students, and target girls and other groups that are underrepresented in the industry.

Offer attractive compensation packages.

Competitive pay isn’t the only way to attract good talent – especially among millennials, who also put a premium on corporate values and career development. Still, compensation is a major factor. When talent is so scarce, employers may have no choice but to offer compensation above the average, coupled with an attractive benefits package and bonus schedule. Employers should also make it a practice to adjust compensation for existing cybersecurity staff to prevent poaching.

Competition for cybersecurity talent is fierce and will get more intense in years to come, as employers try to fill positions from a limited talent pool. In the meantime, cyber threats are likely to continue getting worse, adding pressure to fill vacancies. Organizations need to adopt hiring and recruitment best practices, promote from within when possible, and partner with educational institutions to find and develop cybersecurity talent. Hiring cybersecurity workers is a major challenge that shouldn’t be ignored because there’s so much at stake.

(ISC)² will soon have a report, based on survey research, on how job seekers - and those hiring - can come together to help mitigate the challenge of hiring in cybersecurity. Stay tuned!

About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org